Koffeeware photo products and GDPR

GDPR (General Data Protection Regulation) is around the corner and has quite some implications for e-commerce web sites.

Koffeeware being a provider of photo centric e-commerce environments, we are obviously concerned by privacy in general and GDPR in particular.

Privacy by design

First of all, our products have always been designed with privacy as a concern. This translates into the fact that our tools only collect really needed data, the data needed to properly process and ship orders (when relevant).

Going into the details

Creator Five

Creator Five does not collect any personal data. The only data stored by Creator Five is an anonymous ID to the creations stored. The link between the customer account and the creation’s ID is to be managed by the host site.


inbox.photo only stores basic information to identify the customer at in-shop pick-up. inbox.photo partners can add additional data collection fields. In this case, it is their responsibility to clearly state what is done with the collected data.

Photo Web Shop

Photo Web Shop being a complete photo ecommerce environment, personal data linked to shipment of orders need to be collected and stored. This data is only used for order related communication. An additional field collects consent for marketing communication. The customer can update this information at any time in his account.
Accounts are stored on a store-by-store basis, each store manager defines his policy in term of data usage outside of Koffeeware’s control.

GDPR roles

To understand and implement GDPR correctly, roles need to be clearly defined.

  • As per GDPR, Koffeeware acts as a Data Processor.
  • Koffeeware’s customers act as Data Controllers as they have to define how and why personal data is used and therefore need to make sure to clearly publicize their Privacy Policy. Furthermore, merchants are responsible for the collection and safe storage of their customers’ data as well as gaining consent from their customers for their marketing usage.

The idea behind a privacy policy statement as per GDPR is “Say what you do and do what you say.”.

Data Protection Officer (DPO)

In compliance with the GDPR, we have named a Data Protection Officer (DPO).

Third party service providers

Koffeeware uses the following third party service providers:

  • Databases are stored on Amazon Web Services servers located in Ireland.
  • Our email platform is provided by Mailjet who claims having their servers located in France.

Regarding Google Analytics, we invite our customers to set the data storage settings in accordance with their Privacy Policy.


This article may be updated to match updates to our products.

Interested in our solutions? Feel free to request for more information:

First Name:
Last Name:*
Office Phone:
Email Address:*
Company Name:

Leave a Reply

Your email address will not be published. Required fields are marked *